HSEC-2023-0007

See a problem?

Import Source

https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0007.json

JSON Data

https://api.osv.dev/v1/vulns/HSEC-2023-0007

Published

2023-07-22T02:29:32Z

Modified

2025-07-27T20:43:10.081756Z

Summary

readFloat: memory exhaustion with large exponent

Details

`readFloat`: memory exhaustion with large exponent

Numeric.readFloat takes time and memory linear in the size of the number denoted by the input string. In particular, processing a number expressed in scientific notation with a very large exponent could cause a denial of service. The slowdown is observable on a modern machine running GHC 9.4.4:

ghci> import qualified Numeric
ghci> Numeric.readFloat "1e1000000"    -- near instantaneous
[(Infinity,"")]
ghci> Numeric.readFloat "1e10000000"   -- perceptible pause
[(Infinity,"")]
ghci> Numeric.readFloat "1e100000000"  -- ~ 3 seconds
[(Infinity,"")]
ghci> Numeric.readFloat "1e1000000000" -- ~ 35 seconds
[(Infinity,"")]

In base

Numeric.readFloat is defined for all RealFrac a => a:

readFloat :: RealFrac a => ReadS a

The RealFrac type class does not express any bounds on the size of values representable in the types for which instances exist, so bounds checking is not possible (in this generic function). readFloat uses to Text.Read.Lex.numberToRational which, among other things, calculates 10 ^ exponent, which seems to take linear time and memory.

Mitigation: use read. The Read instances for Float and Double perform bounds checks on the exponent, via Text.Read.Lex.numberToRangedRational.

In toml-reader

The issue was detected in toml-reader version 0.1.0.0, and mitigated in version 0.2.0.0 by immediately returning Infinity when the exponent is large enough that there's no reason to process it.

Database specific

{
    "home": "https://haskell.github.io/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
}

References

Affected packages

Hackage / base

Package

Name: base
Purl: pkg:hackage/base

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.3.1

Affected versions

3.*

3.0.3.1

3.0.3.2

4.*

4.0.0.0

4.1.0.0

4.2.0.0

4.2.0.1

4.2.0.2

4.3.0.0

4.3.1.0

4.4.0.0

4.4.1.0

4.5.0.0

4.5.1.0

4.6.0.0

4.6.0.1

4.7.0.0

4.7.0.1

4.7.0.2

4.8.0.0

4.8.1.0

4.8.2.0

4.9.0.0

4.9.1.0

4.10.0.0

4.10.1.0

4.11.0.0

4.11.1.0

4.12.0.0

4.13.0.0

4.14.0.0

4.14.1.0

4.14.2.0

4.14.3.0

4.15.0.0

4.15.1.0

4.16.0.0

4.16.1.0

4.16.2.0

4.16.3.0

4.16.4.0

4.17.0.0

4.17.1.0

4.17.2.0

4.17.2.1

4.18.0.0

4.18.1.0

4.18.2.0

4.18.2.1

4.18.3.0

4.19.0.0

4.19.1.0

4.19.2.0

4.20.0.0

4.20.0.1

4.20.1.0

4.21.0.0

Database specific

human_link

"https://haskell.github.io/security-advisories/advisory/HSEC-2023-0007.html"

osv

"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0007.json"

Hackage / toml-reader